Contact us

Privacy Policy

Last updated March 18, 2023

Purpose

This personal data protection policy (hereinafter referred to as the Policy) sets forth the basic principles for the processing of the personal data of the consumers, customers, suppliers, business partners, employees and others individuals, and determines the main activities for processing of personal data and data protection measures for undertakings operating under the direction and supervision of the LLC “AlgoBrains Solutions” (hereinafter referred to as the AlgoBrains Solutions or the organisation).

The purposes of this Policy are to ensure the protection of human rights and freedoms when processing the personal data, including privacy rights, personal and family secrecy, and to unify the organization's rules for personal data processing with the requirements of the international law and the laws of the countries where the organization operates.

In its everyday business operations, AlgoBrains Solutions makes use of a variety of data about identifiable individuals, including data about:

  • Current, past and prospective employees,
  • Customers
  • Users of it's websites
  • Other stakeholders

While collecting and using this data, the organisation is subject to a variety of legislation acts, controlling how such activities should be carried out and the safeguards that must be put in place to protect it.

AlgoBrains Solutions is committed to complying with the applicable laws and regulations related to Personal Data protection in the countries where the organisation operates.

Policy is reviewed annually and in case if significant changes take place within the organisation or in the relevant legislation.

Scope

The Policy is mandatory for all AlgoBrains Solutions employees, both staff and contractors, and all organisational units, including separate subdivisions. The Policy also applies to other persons if they are to participate in the personal data processing in the organisation, as well as in cases of the transfer of personal data to them in the established order under an agreements and contracts.

The Policy applies to any personal data, regardless of the type of media on which they are recorded.

The Policy is a public document of the AlgoBrains Solutions and any persons can get acquainted with it.

The Policy is developed on the basis of and in accordance with the requirements:

  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE
    COUNCIL of 27 April 2016 on the protection of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation, GDPR);
  • the Law of the Republic of Azerbaijan on Personal Data of 11 May 2010 No 998-IIIQ
    (only available in Azerbaijani here)
    (https://www.dataguidance.com/notes/azerbaijan-data-protection-overview)

If, as a result of changes in the legislation of the countries in which the AlgoBrains Solutions undertakings are registered, any requirements of this Policy conflict with the legislation of these countries, such requirements will become invalid and the laws of the countries in which the AlgoBrains Solutions undertakings are registered will be applied before the time of introducing changes and additions to the Policy.

Key acts, regulations, directives, bills

The fundamental legal act regulating personal data protection in Belarus is the Law on Personal Data Protection of 7 May 2021 No. 99-Z which entered into force on 15 November 2021 (Data Protection Law).

The Personal Data Law of 11 May 2010 No 998-IIIQ (only available in Azerbaijani here)

The Law of 13 June 2008 No 651-IIIQ on Biometric Data (only available in Azerbaijani here) ('the Biometric Data Law').

The fundamental legal act regulating personal data protection in Belarus is the Law on Personal Data Protection of 7 May 2021 No. 99-Z which entered into force on 15 November 2021 (Data Protection Law).

The Rules on State Registration and De-registration of Information Systems of Personal Data Approved by the Decree No. 149 of the Cabinet of Ministers dated 17 August 2010 (only available in Azerbaijani here) ('the Rules on State Registration').

The Requirements for the Protection of Personal Data Approved by the Decree No. 161 of the Cabinet of Ministers dated 6 September 2010 (only available in Azerbaijani here).

The Decree No. 237 of the Cabinet of Ministers dated 17 December 2010 on Approval of the Information Systems of Personal Data which Are not Required To Be Registered (only available in Azerbaijani here) ('the Decree on Approval of the Information Systems').

The Rules on Annihilation of Information Stored in the Information System when the State Registration of the Information System of Personal Data is Terminated Approved by the Decree No. 238 of the Cabinet of Ministers dated 17 December 2010 (only available in Azerbaijani here).

The Regulations on Transmission of Personal Data Collected and Processed at Corporate Information Systems to Third Parties on Fee Basis Approved by the Decree No. 35 of the Cabinet of Ministers dated 2 March 2011(only available in Azerbaijani here) ('the Regulations').

The Rules on Entering Personal Identification Number into Information Systems of Personal Data and Use of it Approved by the Decree No. 49 of the Cabinet of Ministers dated 4 April 2011 (only available in Azerbaijani here).

Administrative Violations Code of the Republic of Azerbaijan of 29 December 2015 (only available in Azerbaijani here) ('the Administrative Violations Code').

Criminal Code of the Republic of Azerbaijan of 30 December 1999 (only available in Azerbaijani here) ('the Criminal Code').

Terms and definition

The following terms are used in this document with the corresponding definitions:

Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the personal data processing; where the purposes and means of such processing are determined by the law of the data subject location country, the controller or the specific criteria for its nomination may be provided for by the law of the data subject location country;

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or data concerning a natural person's sex life or sexual orientation, genetic data, biometric data for the purpose of uniquely identifying a natural person;

AlgoBrains Solutions undertakings means undertakings operating under the direction and supervision of the LLC «AlgoBrains Solutions».

Principles relating to personal data

Principles relating to personal data processing

Types of principles

Personal data shall be:

Types of principles

The lawfulness, fairness and transparency principle.

Personal data shall be:

Processed lawfully, fairly and in a transparent manner in relation to the data subject.

Types of principles

The purpose limitation principle.

Personal data shall be:

Collected for specified, explicit and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

Types of principles

The data minimisation principle

Personal data shall be:

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Types of principles

The accuracy principle

Personal data shall be:

Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, depending on the purposes for which they are processed, are erased or corrected without delay;

Types of principles

The storage limitation principle

Personal data shall be:

Kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.

Types of principles

The integrity and confidentiality principle

Personal data shall be:

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

AlgoBrains Solutions is committed to comply with all of these principles not only with the current processing of personal data, but also with the introduction of new methods and systems of processing. In respect of its activities as a controller, the organisation is ready to confirm compliance with the above principles to the supervisory authority upon request ('the accountability principle').

Lawfulness of processing

AlgoBrains Solutions determines the legal basis before the start of personal data processing as a controller.

If the organisation as a controller processes special category of personal data, or data related to criminal convictions and offenses, the organisation identifies both a legal basis for general processing and separate conditions for processing these types of data.

AlgoBrains Solutions keeps reasonable, documented evidence of the legitimacy of the personal data processing, with respect of its activities as a controller, and makes the evidence available when it is necessary.

The organisation processes the personal data as a processor only on the basis of documented instructions from the controller governed by a contract or other legal act that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller. In this case, the controller determines the lawfulness of the processing.

There are six available legal bases for general processing of personal data. There are ten separate conditions for special category data processing. The options are described in the following sections.

1. Consent

The organisation will always obtain explicit consent from a data subject in order to collect and process their data, unless consent is not required in accordance with the law.

In the case of children under the age of 16 (a lower age may be allowed in specific countries), the consent of a parent or a legal guardian must be obtained.

While requesting for consent, AlgoBrains Solutions informs the data subjects about the organisation's identity, the nature and purpose of the processing, the list of personal data categories for processing, and explains the rights of individuals with regard to their personal data, including the right to withdraw consent. This information is provided in an intelligible and easily accessible form, using clear and plain language.

AlgoBrains Solutions requests separate consent for different purposes and types of processing, and does not use pre-ticked boxes or any other type of default consent in the consent requests.

2. Performance of a Contract

When the collected and processed personal data are required to fulfil contract with the data subject, explicit consent is not required. This will often be the case when the contract cannot be completed without the personal data in question e.g., a delivery cannot be made without an address to deliver to.

3. Legal Obligation

If the personal data is required to be collected and processed in order to comply with the law, then explicit consent is not required. This may be the case for some data related to employment and taxation for example, and for many areas addressed by the public sector.

4. Vital Interests of the Data Subject

In the case when the personal data are required to protect the vital interests of the data subject or another individual, then this necessity may be used as the legal basis of the processing. As an example, this case may be applied to the aspects of social care, particularly in the public sector.

5. Task Carried Out in the Public Interest

When the organisation needs to perform a task that is believed to be in the public interest or presents itself as a part of organisation's official duty then the data subject's consent will not be requested.

6. Legitimate Interests

If the result of data processing or specific personal data are a part of the legitimate interests of the organisation and are judged not to affect the rights and freedoms of the data subject in a significant way, then this may be defined as the legal reason for the processing. AlgoBrains Solutions performs a legitimate interest assessment (LIA) to ensure compliance with the principle of proportionality.

7. Conditions for Special Category Data Processing

Performing its role of a controller the organisation processes special category of personal data only if it has identified one of the following conditions for processing:

the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the law of the data subject location country does not provide the right of the data subject to cancel the prohibition on processing;

Processing is necessary:

for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, provided that appropriate safeguards are ensured for the fundamental rights and interests of the data subject;

to protect the vital interests of the data subject or of another individual if the data subject is physically or legally incapable of giving consent;

carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

for reasons of substantial public interest provided that suitable and specific safeguards are ensured for the fundamental rights and the interests of the data subject;

for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;

for the reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, provided that suitable and specific safeguards are ensured for the rights and freedoms of the data subject, in particular professional secrecy;

for archiving purposes of the public interest, scientific or historical research purposes or statistical purposes, provided that suitable and specific safeguards are ensured for the fundamental rights and the interests of the data subject. AlgoBrains Solutions processes personal data related to criminal convictions and offenses only under the control of an official authority, or when the law of the data subject location country permits processing, and only appropriate safeguards are provided for the rights and freedoms of data subjects.

Rights of the data subject

The data subject has the following rights:

Data Subject Request *

Explanation of rights

Timescale

Data Subject Request *

The right to be informed.

Explanation of rights

Individuals have the right to be informed about the collection and use of their personal data.

Timescale

Individuals have the right to be informed about the collection and use of their personal data.

Data Subject Request *

The right of access

Explanation of rights

Individuals have the right to access their personal data.

Timescale

One month.

Data Subject Request *

The right of correction.

Explanation of rights

The right of correction.

Timescale

One month.

Data Subject Request *

The right of erasure.

Explanation of rights

Individuals have the right to have their personal data erased.

Timescale

Without undue delay.

Data Subject Request *

The right to restrict processing.

Explanation of rights

Individuals have the right to obtain and reuse their personal data for their own purposes across different services.

Timescale

One month.

Data Subject Request *

The right of data portability.

Explanation of rights

Individuals have the right to have their personal data erased.

Timescale

Without undue delay.

Data Subject Request *

The right to object

Explanation of rights

Individuals have the right to object to the processing of their personal data

Timescale

On receipt of objection

Data Subject Request *

Rights in relation to automated decision making and profiling

Explanation of rights

Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effect on them

Timescale

Not specified.

* The organisation supports each of these rights with appropriate procedures that allow the necessary steps to be taken within the timeframes specified in table 1.

Personal data protection in business activities of the organization

AlgoBrains Solutions takes, or in some cases may take if necessary, a number of organisational and technical measures in its business activities to protect personal data from unauthorised or unlawful processing, as well as from accidental loss, destruction, damage or other illegal actions in respect of personal data.
These measures include:

  • Adopting and implementing regulatory documents for the processing and protection of personal data;
  • taking a 'data protection by design and default' approach – putting appropriate data protection measures in place throughout the entire lifecycle of the processing operations;
  • putting in place written contracts with processors which process personal data on behalf of the organization;
  • documenting its processing activities;
  • implementing appropriate security measures;
  • recording and, where necessary, reporting personal data breaches;
  • carrying out data protection impact assessments for uses of personal data that are likely to result in a high risk to individuals’ interests;
  • appointing a data protection officer (where necessary);
  • adhering to relevant codes of conduct and compliance with certification schemes (where possible).

1. Data Protection by Design and Default

The organisation adopts the principle of “data protection by design and default” and carries out appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights.

In essence, “data protection by design” means that AlgoBrains Solutions has integrated data protection into systems, services, products and business practices, from the design stage right through the lifecycle. The organisation only uses data processors that provide sufficient guarantees of their technical and organisational measures for data protection by design. The organisation takes into account the data protection by design when it purchases products for use in its processing activities.

In fact, “data protection by default” means that AlgoBrains Solutions, in respect of its activities as a controller:

  • specifies the minimum set of personal data required to achieve specific processing purposes before the processing starts;
  • appropriately informs the data subjects;
  • only processes the data necessary for processing purposes;
  • does not process additional personal data until the data subject authorises to do so;
  • ensures that personal data is not automatically available to others until the data subject allows it;
  • ensures that personal data is automatically protected in any IT system, service, product and / or business practice, so that individuals should not have to take any specific actions to protect their privacy;
  • offers strong privacy defaults, user-friendly options and controls, and respect user preferences. The organisation takes into account the use of techniques such as pseudonymisation where applicable and appropriate.

2. Contracts Involving the Personal Data Processing

AlgoBrains Solutions ensures that all relationships it enters into that involve the personal data processing are regulated by documented contracts that include the specific information and conditions required by the law.

Contracts of the organisation include the following compulsory information:

  • specifies the minimum set of personal data required to achieve specific processing purposes before the processing starts;
  • appropriately informs the data subjects;
  • only processes the data necessary for processing purposes;
  • does not process additional personal data until the data subject authorises to do so;

Contracts of the organisation include the following compulsory terms:

  • the processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
  • the processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • the processor must take appropriate measures to ensure the security of processing;
  • the processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
  • the processor must assist the data controller to ensure that data subjects exercise their rights in accordance with the law of the data subject location country;
  • the processor must assist the data controller in meeting its obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • the processor must delete or return all personal data to the controller as requested at the end of the contract;
  • the processor should contribute to audits and inspections provide the controller with whatever information necessary to confirm the processors compliance with his obligations, and notify the controller immediately if it is asked to do something infringing data protection legislation.

AlgoBrains Solutions as a controller only appoints processors who can provide “sufficient guarantees” that the requirements of the law of the data subjects location countries will be observed, and the rights of data subjects will be protected.

3. International Transfers of Personal Data

AlgoBrains Solutions transfers personal data to the third country or the international organisation only if the requirements of the law of the data subjects’ location countries are fully observed, for example, if the transfer of personal data to that third country or international organisation is authorised by the regulatory body without additional authorisation by the supervisory authority, since there is an adequate level of protection that meets the requirements of the law, or if the organisation receiving the personal data has provided appropriate safeguards that comply with the requirements of the law.

Before such transfer AlgoBrains Solutions makes sure, that, as a result, the level of protection of data subjects ensured by law will not be undermined, including the cases of onward transfers of personal data from the third country or an international organisation to controllers, processors in the same or another third country or international organisation.

Following such transfer, individuals’ rights must be enforceable and effective legal remedies for individuals must be available.

4. Documenting Processing Activities

As a controller, AlgoBrains Solutions maintains records of the following categories to document its processing activities:

  • records of processing activities;
  • the legal basis for the processing;
  • records of consent;
  • legitimate Interests Assessment reports;
  • information provided to data subjects;
  • controller-processor contracts;
  • the location of personal data;
  • data Protection Impact Assessment reports;
  • records of personal data breaches.

As a processor, AlgoBrains Solutions maintains records of the following categories to document its processing activities:

  • records of processing activities;
  • controller-processor contracts;
  • the location of personal data;
  • records of personal data breaches.

AlgoBrains Solutions’ undertakings employing fewer than 250 persons do not keep records of processing activities unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of personal data or personal data relating to criminal convictions and offences.

The records are kept in writing. The records are kept up to date and reflect current processing activities.

The organisation makes the records available to the supervisory authority upon request.

5. Implementing Appropriate Security Measures

AlgoBrains Solutions has identified and regularly updates the security threats to personal data, performs risk analysis related to the personal data processing, documents findings and uses them to assess the appropriate level of security that needs to be put in place.

The security threat to personal data means a factor that creates the danger of unauthorised, including accidental, processing of personal data, as well as the accidental or intentional loss, destruction or damage to personal data.

AlgoBrains Solutions has allocated responsibility for information security to certain employees and teams and provided them with the appropriate resources and authority. Employees who are authorized by the organization to process personal data, before starting to work with personal data, undertake responsibility to comply with confidentiality and other requirements of the Policy.

AlgoBrains Solutions’ undertakings have an information security rules and take the necessary steps to implement it. Where required, AlgoBrains Solutions’ undertakings adopt additional regulatory documents and ensure that controls are in place to enforce them.

AlgoBrains Solutions regularly reviews its information security regulatory documents and, if necessary, improves them. AlgoBrains Solutions conducts regular testing and reviews of its information security measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.

AlgoBrains Solutions’ undertakings keep records of assets involved in the personal data processing (applications, systems, personnel, and media).

AlgoBrains Solutions uses encryption and/or pseudonymisation, where it is appropriate to do so.

AlgoBrains Solutions’ undertakings mandatory use cryptographic security means if personal data is transmitted through open communication channels.

AlgoBrains Solutions’ undertakings have proper backup processes so that they can restore integrity and access to personal data in the event of any incidents, as soon as reasonably possible.

AlgoBrains Solutions’ undertakings make sure that any data processor they are using also implements appropriate technical and organizational measures.

AlgoBrains Solutions’ undertakings provide the necessary physical security measures to protect premises, equipment and information from unauthorized access.

AlgoBrains Solutions has defined business continuity arrangements that protect and recover any personal data the organization holds.

AlgoBrains Solutions conducts appropriate initial and refresher training for personnel involved in data processing on data protection issues and, including, inter alia, personal data processing duties, employees responsibility for personal data protection, rules and restrictions for employees to use the systems and services (for example, to avoid virus infection or spam).

6. Personal Data Breaches

The organisation has prepared a response plan for addressing any personal data breaches that may occur. AlgoBrains Solutions has allocated responsibility for managing breaches to certain employees and teams. The organisation’s employees know how to escalate a security incident to the proper responsible person or team in AlgoBrains Solutions to determine whether a breach has occurred.

AlgoBrains Solutions adopted a process to notify the supervisory authority of a breach within 72 hours after becoming aware of it, even if there are still no details. The organisation adopted a process to inform without undue delay the affected individuals about a breach, when it is likely to result in a high risk to their rights and freedoms. The organisation’s Data Protection Officers supervise the process of notifying the data subjects and supervisory authorities of the personal data breaches.

AlgoBrains Solutions documents all breaches, even if not all of them are in need to be reported.

7. Data Protection Impact Assessment (DPIA)

As a controller, AlgoBrains Solutions does a DPIA when personal data processing is likely to result in a high risk to individuals. The organisation considers expediency of fulfilment of a DPIA in any major project involving the personal data processing carried out as the controller. If AlgoBrains Solutions decides not to carry out a DPIA, it will document the reasons.

DPIA must:

  • describe the nature, scope, context and purposes of the processing;
  • assess the need for processing and proportionality to the purposes;
  • identify and assess risks to individuals;
  • identify any measures to mitigate those risks and to confirm compliance with legislation.

If the organisation identifies a high risk that it cannot mitigate, it should consult the supervisory authority before starting the processing.

8. Data Protection Officer (DPO)

AlgoBrains Solutions is not required to appoint a DPO, since it is not a public authority or body, does not perform large-scale monitoring, and does not process special categories of personal data on a large scale, but it has decided to do so voluntarily. The organisation understands that the same duties and responsibilities apply as with the mandatory appointment of DPO. AlgoBrains Solutions appoints the DPO at the head office and, if necessary, at some undertakings of the organisation.

AlgoBrains Solutions tasked its DPOs to monitor compliance with data protection laws and organisation’s data protection regulatory documents, awareness raising, employees training and the related audits. AlgoBrains Solutions timely involves its DPOs on all issues relating to the personal data protection.

The organisation’s DPOs inform and advise the employees of the organisation who carry out the personal data processing on their obligations under the data protection legislation.

The DPO of the head office reports directly to the top management of the organisation. The DPOs of other AlgoBrains Solutions’ undertakings cooperate with the DPO of the head office and report to the management of their enterprises and the top management of the organisation. All organisation’s DPOs are given the required independence to perform their tasks.

The organisation’s DPOs are easily accessible as the contact points for our employees, individuals and supervisory authorities. AlgoBrains Solutions published the contact details of its DPOs and communicated them to the supervisory authority.

9. Compliance with codes of conduct and certification systems

Professional associations and representative bodies may prepare codes of conduct covering topics such as fair and transparent processing, the legitimate interests pursued by controllers, pseudonymisation and the exercise of human rights, etc.

In addition, supervisory authorities or accredited certification bodies may issue certificates of compliance with the legislative requirements of data processing activities.

Compliance with the code of conduct and obtaining a certificate are voluntary, but the organisation sees them as an excellent way to monitor and demonstrate compliance with the requirements for the personal data protection.